An AI agent is an autonomous software system powered by a large language model (LLM) that can perceive its environment, reason about tasks, use external tools, and take multi-step actions to achieve goals — with minimal human intervention per step. Unlike a chatbot, an agent doesn't just answer questions; it acts.
What Makes Something an Agent?
The term "AI agent" gets used loosely. The meaningful definition centers on three properties:
Autonomy. The system makes decisions across multiple steps without requiring human approval at each step. It observes a result, reasons about the next action, and proceeds.
Tool use. The system can call external capabilities: search engines, APIs, code interpreters, file systems, databases, communication channels. These tools extend the agent's reach beyond the model's training data into the real world.
Goal-directedness. The system is trying to accomplish something. Not just respond to a prompt, but complete a task that may require planning, error recovery, and adapting to new information.
When all three are present, you have an agent — and you have a security problem.
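The three properties can be made concrete with a minimal agent loop. This is an illustrative sketch, not any real framework's API — the tool registry, the toy "reasoning" rule, and the function names are all invented for clarity:

```python
def search(query: str) -> str:
    """Toy tool: stands in for a real search API call."""
    return f"results for {query!r}"

# Tool use: external capabilities the agent can invoke by name.
TOOLS = {"search": search}

def run_agent(goal: str, max_steps: int = 5) -> list[str]:
    """Minimal agent loop: observe, reason, act, repeat.

    Autonomy: no human approval between steps.
    Goal-directedness: the loop ends when the goal is judged met,
    not after a fixed script of steps.
    """
    transcript = []
    observation = goal
    for _ in range(max_steps):
        # Stand-in for the LLM's reasoning over the latest observation.
        if "results" in observation:
            transcript.append("done")
            break
        observation = TOOLS["search"](observation)
        transcript.append(observation)
    return transcript
```

Even in this toy form, the security-relevant shape is visible: whatever ends up in `observation` influences the next action, which is exactly the channel an attacker targets.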
The Security Implication
A chatbot that answers questions has a bounded blast radius: wrong answers, misleading information. The harm is informational.
An agent that can read your email, send messages, query your database, execute code, and make API calls on your behalf has an unbounded blast radius. Wrong actions don't just produce bad information — they produce bad state in the world. Deleted files, sent emails, exfiltrated data, purchased goods, escalated permissions.
This is why agentic security is a distinct discipline from "AI safety" or "content moderation." The threat model is different. The question isn't whether the agent says the wrong thing — it's whether the agent does the wrong thing, and how bad that can get.
Multi-Agent Systems
Modern deployments often chain multiple agents together: an orchestrator agent that plans and delegates to subagents that execute specific tasks. Multi-agent architectures multiply the attack surface:
- A compromised subagent can poison the orchestrator's reasoning.
- Trust relationships between agents are often implicit and unverified.
- An attacker who controls one node in the chain may be able to redirect the entire pipeline.
MoltBook's research on the "multi-agent intent gap" (2026) found that orchestrators routinely accept instructions from subagents without verifying whether those instructions align with the original user's goals. Each delegation step is an opportunity for adversarial hijacking.
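The intent gap can be sketched in a few lines. Everything here is hypothetical — the `check_intent` helper in particular is a deliberately weak keyword check, far short of what a real alignment verifier would need — but it shows the difference between forwarding subagent output blindly and gating it against the user's original goal:

```python
def naive_orchestrator(user_goal: str, subagent_output: str) -> str:
    # Vulnerable pattern: the subagent's output becomes the next
    # instruction with no verification against the user's goal.
    return subagent_output

def check_intent(user_goal: str, instruction: str) -> bool:
    """Toy alignment check: does the instruction mention the goal?

    Illustrative only; a real check would need semantic comparison,
    not substring matching.
    """
    return user_goal.lower() in instruction.lower()

def guarded_orchestrator(user_goal: str, subagent_output: str) -> str:
    # Each delegation step is gated: instructions that drift from the
    # user's goal are rejected instead of silently executed.
    if not check_intent(user_goal, subagent_output):
        raise ValueError("subagent instruction does not match user goal")
    return subagent_output
```

The point is structural, not the specific check: verification has to happen at every delegation boundary, because any one unguarded hop is enough to redirect the pipeline.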
Real-World Examples
- Cursor, GitHub Copilot, Devin — coding agents with file system access, terminal access, and the ability to make git commits and push to remote repositories.
- Salesforce AgentForce — business process agents that read lead data, send emails, and update CRM records.
- Notion AI, Slack AI — productivity agents that read and write documents and messages across an organization.
- Apono AI — an access management agent that handles permissions requests, provisioning, and access reviews.
FAQ
Is a chatbot an AI agent? Not by the definition that matters for security. A chatbot that only generates text has no tools and no persistent state; its blast radius is purely informational. An agent has tools and can affect external systems, and that is the distinction with security consequences.
What's the difference between an agent and a pipeline? A pipeline is a fixed sequence of steps. An agent decides its own next step based on what it observes. Agents are adaptive; pipelines are deterministic. Most production systems are somewhere in between.
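The contrast can be shown side by side. This is an illustrative sketch with invented names; the "observations" are trivial string properties, standing in for whatever a real agent would perceive:

```python
def pipeline(data: str) -> str:
    # Pipeline: a fixed sequence of steps, the same every run,
    # regardless of what the intermediate results look like.
    for step in (str.strip, str.lower, str.title):
        data = step(data)
    return data

def agent(data: str, max_steps: int = 10) -> str:
    # Agent: each iteration observes the current state and
    # chooses the next step (or decides it is finished).
    for _ in range(max_steps):
        if data != data.strip():
            data = data.strip()   # observed stray whitespace
        elif not data.istitle():
            data = data.title()   # observed inconsistent casing
        else:
            break                 # goal met: stop early
    return data
```

On well-behaved input the two produce the same result; the difference shows up in control flow. The pipeline always runs three steps, while the agent may skip, repeat, or stop early — which is what makes agents adaptive and also what makes their behavior harder to bound in advance.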
Do AI agents need memory to be dangerous? No. Even a stateless agent — one with no persistent memory — is dangerous if it has powerful tools. Memory amplifies the danger by letting past context influence future actions, but the blast radius from tool access exists regardless.